[Pkg-sysvinit-commits] r1020 - in sysvinit/trunk/debian: . patches
Petter Reinholdtsen
pere at costa.debian.org
Sat Oct 21 07:25:11 UTC 2006
Author: pere
Date: 2006-10-21 07:25:10 +0000 (Sat, 21 Oct 2006)
New Revision: 1020
Removed:
sysvinit/trunk/debian/patches/41_selinux_console.dpatch
Modified:
sysvinit/trunk/debian/changelog
sysvinit/trunk/debian/patches/00list
sysvinit/trunk/debian/patches/40_selinux.dpatch
Log:
* Replace SElinux patches 40_selinux and 41_selinux_console with updated
40_selinux from Manoj Srivastava. (Closes: #394304)
Modified: sysvinit/trunk/debian/changelog
===================================================================
--- sysvinit/trunk/debian/changelog 2006-10-20 19:57:51 UTC (rev 1019)
+++ sysvinit/trunk/debian/changelog 2006-10-21 07:25:10 UTC (rev 1020)
@@ -5,6 +5,8 @@
make sure it is mounted when the package is installed. Flag this
need using /usr/share/update-notifier/notify-reboot-required if it
exist. (Closes: #393465, #391605, #390126)
+ * Replace SElinux patches 40_selinux and 41_selinux_console with updated
+ 40_selinux from Manoj Srivastava. (Closes: #394304)
-- Petter Reinholdtsen <pere at debian.org> Thu, 19 Oct 2006 10:05:50 +0200
Modified: sysvinit/trunk/debian/patches/00list
===================================================================
--- sysvinit/trunk/debian/patches/00list 2006-10-20 19:57:51 UTC (rev 1019)
+++ sysvinit/trunk/debian/patches/00list 2006-10-21 07:25:10 UTC (rev 1020)
@@ -12,7 +12,6 @@
30_strip
31_build_warnings
40_selinux
-41_selinux_console
45_pidof_symlink
50_bootlogd_exitcode
51_bootlogd_syncalot
Modified: sysvinit/trunk/debian/patches/40_selinux.dpatch
===================================================================
--- sysvinit/trunk/debian/patches/40_selinux.dpatch 2006-10-20 19:57:51 UTC (rev 1019)
+++ sysvinit/trunk/debian/patches/40_selinux.dpatch 2006-10-21 07:25:10 UTC (rev 1020)
@@ -1,173 +1,27 @@
#! /bin/sh /usr/share/dpatch/dpatch-run
-## 40_selinux.dpatch by Manoj Srivastava
+## 40_selinux.dpatch by Manoj Srivastava <srivasta at debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
-## DP: Add support for SELinux.
+## DP: Add Selinux capabilities
@DPATCH@
-Index: trunk/src/init.c
-===================================================================
---- trunk/src/init.c (revisjon 34)
-+++ trunk/src/init.c (arbeidskopi)
-@@ -80,6 +80,157 @@
- sigaction(sig, &sa, NULL); \
- } while(0)
-+
+diff -uBbwr sysvinit-2.86.ds1.orig/src/init.c sysvinit-2.86.ds1/src/init.c
+--- sysvinit-2.86.ds1.orig/src/init.c 2006-10-19 14:57:57.000000000 -0500
++++ sysvinit-2.86.ds1/src/init.c 2006-10-19 15:15:17.000000000 -0500
+@@ -43,6 +43,11 @@
+ #include <sys/syslog.h>
+ #include <sys/time.h>
+
+#ifdef WITH_SELINUX
-+#include <sys/mman.h>
+#include <selinux/selinux.h>
-+#include <sepol/sepol.h>
-+#include <sys/mount.h>
-+
-+/* Mount point for selinuxfs. */
-+#define SELINUXMNT "/selinux/"
-+int enforcing = -1; /* SELinux enforcing mode */
-+
-+static int load_policy(int *enforce)
-+{
-+ int fd=-1,ret=-1;
-+ int rc=0, orig_enforce;
-+ struct stat sb;
-+ void *map;
-+ char policy_file[PATH_MAX];
-+ int policy_version=0;
-+ extern char *selinux_mnt;
-+ FILE *cfg;
-+ char buf[4096];
-+ int seconfig = -2;
-+
-+ selinux_getenforcemode(&seconfig);
-+
-+ mount("none", "/proc", "proc", 0, 0);
-+ cfg = fopen("/proc/cmdline","r");
-+ if (cfg) {
-+ char *tmp;
-+ if (fgets(buf,4096,cfg) && (tmp = strstr(buf,"enforcing="))) {
-+ if (tmp == buf || isspace(*(tmp-1))) {
-+ enforcing=atoi(tmp+10);
-+ }
-+ }
-+ fclose(cfg);
-+ }
-+#define MNT_DETACH 2
-+ umount2("/proc",MNT_DETACH);
-+
-+ if (enforcing >=0)
-+ *enforce = enforcing;
-+ else if (seconfig == 1)
-+ *enforce = 1;
-+
-+ if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0) {
-+ if (errno == ENODEV) {
-+ printf("SELinux not supported by kernel: %s\n",strerror(errno));
-+ *enforce = 0;
-+ } else {
-+ printf("Failed to mount %s: %s\n",SELINUXMNT,strerror(errno));
-+ }
-+ return ret;
-+ }
-+
-+ selinux_mnt = SELINUXMNT; /* set manually since we mounted it */
-+
-+ policy_version=security_policyvers();
-+ if (policy_version < 0) {
-+ printf( "Can't get policy version: %s\n", strerror(errno));
-+ goto UMOUNT;
-+ }
-+
-+ orig_enforce = rc = security_getenforce();
-+ if (rc < 0) {
-+ printf( "Can't get SELinux enforcement flag: %s\n", strerror(errno));
-+ goto UMOUNT;
-+ }
-+ if (enforcing >= 0) {
-+ *enforce = enforcing;
-+ } else if (seconfig == -1) {
-+ *enforce = 0;
-+ rc = security_disable();
-+ if (rc == 0) umount(SELINUXMNT);
-+ if (rc < 0) {
-+ rc = security_setenforce(0);
-+ if (rc < 0) {
-+ printf("Can't disable SELinux: %s\n", strerror(errno));
-+ goto UMOUNT;
-+ }
-+ }
-+ ret = 0;
-+ goto UMOUNT;
-+ } else if (seconfig >= 0) {
-+ *enforce = seconfig;
-+ if (orig_enforce != *enforce) {
-+ rc = security_setenforce(seconfig);
-+ if (rc < 0) {
-+ printf("Can't set SELinux enforcement flag: %s\n", strerror(errno));
-+ goto UMOUNT;
-+ }
-+ }
-+ }
-+
-+ snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version);
-+ fd = open(policy_file, O_RDONLY);
-+ if (fd < 0) {
-+ /* Check previous version to see if old policy is available
-+ */
-+ snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version-1);
-+ fd = open(policy_file, O_RDONLY);
-+ if (fd < 0) {
-+ printf( "Can't open '%s.%d': %s\n",
-+ selinux_binary_policy_path(),policy_version,strerror(errno));
-+ goto UMOUNT;
-+ }
-+ }
-+
-+ if (fstat(fd, &sb) < 0) {
-+ printf("Can't stat '%s': %s\n",
-+ policy_file, strerror(errno));
-+ goto UMOUNT;
-+ }
-+
-+ map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
-+ if (map == MAP_FAILED) {
-+ printf( "Can't map '%s': %s\n",
-+ policy_file, strerror(errno));
-+ goto UMOUNT;
-+ }
-+
-+
-+ /* Set booleans based on a booleans configuration file. */
-+ ret = sepol_genbools(map, sb.st_size, selinux_booleans_path());
-+ if (ret < 0) {
-+ if (errno == ENOENT || errno == EINVAL) {
-+ /* No booleans file or stale booleans in the file; non-fatal. */
-+ printf("Warning! Error while setting booleans: %s\n"
-+ , strerror(errno));
-+ } else {
-+ printf("Error while setting booleans: %s\n",
-+ strerror(errno));
-+ goto UMOUNT;
-+ }
-+ }
-+ printf("Loading security policy\n");
-+ ret=security_load_policy(map, sb.st_size);
-+ if (ret < 0) {
-+ printf("security_load_policy failed\n");
-+ }
-+
-+ UMOUNT:
-+ /*umount(SELINUXMNT); */
-+ if ( fd >= 0) {
-+ close(fd);
-+ }
-+ return(ret);
-+}
+#endif
+
+
- /* Version information */
- char *Version = "@(#) init " VERSION " " DATE " miquels at cistron.nl";
- char *bootmsg = "version " VERSION " %s";
-@@ -2599,6 +2750,7 @@
+ #ifdef __i386__
+ # if (__GLIBC__ >= 2)
+ /* GNU libc 2.x */
+@@ -2599,6 +2604,7 @@
char *p;
int f;
int isinit;
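Review bot: The embedded patches are regenerated with `diff -uBbwr` (L61 here, and again at L347 and L379), so a change that consists only of whitespace or blank lines cannot appear on the new side at all; for src/Makefile that means a recipe line whose only fix was its leading tab would be silently lost, and for init.c any indentation clean-up in the source tree is not carried. Unless the tree was diffed against is known to be whitespace-identical, regenerate the inner diffs with plain `diff -ur` so the dpatch carries exactly what the author's tree contains. The `## DP:` line on the new side is also thinner than the one it replaces and spells the project name as "Selinux"; something like `## DP: Add SELinux support: init loads the policy via libselinux's selinux_init_load_policy() and re-execs itself, sulogin sets the exec context for the root shell.` would tell a reader what the patch now does. The inner hunk `@@ -2599,6 +2604,7 @@` adds one line that falls outside this outer hunk, presumably the declaration of the `enforce` variable used later; confirm it is initialised (`int enforce = 0;`) so an indeterminate value cannot trigger the halt path when policy loading fails.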
@@ -175,20 +29,20 @@
/* Get my own name */
if ((p = strrchr(argv[0], '/')) != NULL)
-@@ -2662,6 +2814,21 @@
+@@ -2662,6 +2668,21 @@
maxproclen += strlen(argv[f]) + 1;
}
+#ifdef WITH_SELINUX
+ if (getenv("SELINUX_INIT") == NULL) {
+ putenv("SELINUX_INIT=YES");
-+ if (load_policy(&enforce) == 0 ) {
++ if (selinux_init_load_policy(&enforce) == 0 ) {
+ execv(myname, argv);
+ } else {
+ if (enforce > 0) {
+ /* SELinux in enforcing mode but load_policy failed */
+ /* At this point, we probably can't open /dev/console, so log() won't work */
-+ fprintf(stderr,"Enforcing mode requested but no policy loaded. Halting now.\n");
++ fprintf(stderr,"Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n");
+ exit(1);
+ }
+ }
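Review bot: The return of `execv(myname, argv)` after the successful `selinux_init_load_policy(&enforce)` call is not examined, so if the re-exec fails init simply falls through and keeps running in this process, without the domain transition the freshly loaded policy is meant to give it, and nothing is logged. Since exec failure is the one case where the policy is loaded but init is not confined by it, add after the execv line `fprintf(stderr, "Re-exec of %s failed: %s\n", myname, strerror(errno));` and `if (enforce > 0) exit(1);`, mirroring the halt-on-enforcing choice the else branch already makes. Note also that execv() passes the current environ, so `SELINUX_INIT=YES` survives into the re-executed init and, unless it is scrubbed elsewhere, is inherited by every process init spawns; that is the intended guard against a re-exec loop, but it deserves a one-line comment saying so. `myname`, `enforce` and the enclosing function (apparently init's main, given the argv handling) are declared and continue outside this hunk.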
@@ -197,98 +51,11 @@
/* Start booting. */
argv0 = argv[0];
argv[1] = NULL;
-Index: trunk/src/killall5.c
-===================================================================
---- trunk/src/killall5.c (revisjon 34)
-+++ trunk/src/killall5.c (arbeidskopi)
-@@ -165,8 +165,11 @@
-
- /*
- * Read the proc filesystem.
-+ * since pidOf does not use process sid added a needSid flag to eliminate
-+ * the need of this privs for SELinux
-+ *
- */
--int readproc()
-+int readproc(int needSid)
- {
- DIR *dir;
- FILE *fp;
-@@ -259,7 +262,17 @@
- free(p);
- continue;
- }
--
-+ if (needSid) {
-+ p->sid = getsid(pid);
-+ if (p->sid < 0) {
-+ p->sid = 0;
-+ nsyslog(LOG_ERR, "can't read sid for pid %d\n", pid);
-+ free(p);
-+ continue;
-+ }
-+ } else {
-+ p->sid = 0;
-+ }
- snprintf(path, sizeof(path), "/proc/%s/cmdline", d->d_name);
- if ((fp = fopen(path, "r")) != NULL) {
-
-@@ -519,7 +532,7 @@
- argv += optind;
-
- /* Print out process-ID's one by one. */
-- readproc();
-+ readproc(0);
- for(f = 0; f < argc; f++) {
- if ((q = pidof(argv[f])) != NULL) {
- spid = 0;
-@@ -600,7 +613,7 @@
- sent_sigstop = 1;
-
- /* Read /proc filesystem */
-- if (readproc() < 0) {
-+ if (readproc(1) < 0) {
- kill(-1, SIGCONT);
- exit(1);
- }
-Index: trunk/src/sulogin.c
-===================================================================
---- trunk/src/sulogin.c (revisjon 34)
-+++ trunk/src/sulogin.c (arbeidskopi)
-@@ -28,6 +28,10 @@
- # include <crypt.h>
- #endif
-
-+#ifdef WITH_SELINUX
-+#include <selinux/selinux.h>
-+#include <selinux/get_context_list.h>
-+#endif
- #define CHECK_DES 1
- #define CHECK_MD5 1
-
-@@ -335,6 +339,16 @@
- signal(SIGINT, SIG_DFL);
- signal(SIGTSTP, SIG_DFL);
- signal(SIGQUIT, SIG_DFL);
-+#ifdef WITH_SELINUX
-+ if (is_selinux_enabled > 0) {
-+ security_context_t* contextlist=NULL;
-+ if (get_ordered_context_list("root", 0, &contextlist) > 0) {
-+ if (setexeccon(contextlist[0]) != 0)
-+ fprintf(stderr, "setexeccon faile\n");
-+ freeconary(contextlist);
-+ }
-+ }
-+#endif
- execl(sushell, shell, NULL);
- perror(sushell);
-
-Index: trunk/src/Makefile
-===================================================================
---- trunk/src/Makefile (revisjon 34)
-+++ trunk/src/Makefile (arbeidskopi)
-@@ -49,6 +49,18 @@
- INSTALL = install -o $(BIN_OWNER) -g $(BIN_GROUP)
+diff -uBbwr sysvinit-2.86.ds1.orig/src/Makefile sysvinit-2.86.ds1/src/Makefile
+--- sysvinit-2.86.ds1.orig/src/Makefile 2006-10-19 14:57:57.000000000 -0500
++++ sysvinit-2.86.ds1/src/Makefile 2006-10-19 15:09:30.000000000 -0500
+@@ -51,6 +51,18 @@
+ INSTALL_DATA = install -o $(BIN_OWNER) -g $(BIN_GROUP) -m 644
MANDIR = /usr/share/man
+ifeq ($(WITH_SELINUX),yes)
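Review bot: The killall5.c part of the previous patch — `readproc(int needSid)`, which let pidof skip the `getsid()` call that needed extra privilege under SELinux — has no counterpart on the new side, and neither the `## DP:` header nor the changelog entry says the drop is intentional. If the upstream or libselinux side now makes that change unnecessary, record it so the next maintainer does not reintroduce it; a line such as `## DP: The killall5 readproc(needSid) change from the old 40_selinux is no longer carried.` in the dpatch header would do. The body of the new `ifeq ($(WITH_SELINUX),yes)` block in src/Makefile lies outside this hunk, so the link flags it adds could not be reviewed here.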
@@ -306,7 +73,7 @@
# Additional libs for GNU libc.
ifneq ($(wildcard /usr/lib/libcrypt.a),)
LCRYPT = -lcrypt
-@@ -57,7 +69,7 @@
+@@ -59,7 +71,7 @@
all: $(BIN) $(SBIN) $(USRBIN)
init: init.o init_utmp.o
@@ -315,7 +82,7 @@
halt: halt.o ifdown.o hddown.o utmp.o reboot.h
$(CC) $(LDFLAGS) -o $@ halt.o ifdown.o hddown.o utmp.o
-@@ -78,7 +90,7 @@
+@@ -80,7 +92,7 @@
$(CC) $(LDFLAGS) -o $@ runlevel.o
sulogin: sulogin.o
@@ -324,7 +91,7 @@
wall: dowall.o wall.o
$(CC) $(LDFLAGS) -o $@ dowall.o wall.o
-@@ -89,8 +101,11 @@
+@@ -91,8 +103,11 @@
bootlogd: bootlogd.o
$(CC) $(LDFLAGS) -o $@ bootlogd.o -lutil
@@ -337,3 +104,40 @@
utmp.o: utmp.c init.h
$(CC) -c $(CFLAGS) utmp.c
+diff -uBbwr sysvinit-2.86.ds1.orig/src/sulogin.c sysvinit-2.86.ds1/src/sulogin.c
+--- sysvinit-2.86.ds1.orig/src/sulogin.c 2006-10-19 14:57:03.000000000 -0500
++++ sysvinit-2.86.ds1/src/sulogin.c 2006-10-19 15:19:24.000000000 -0500
+@@ -28,6 +28,11 @@
+ # include <crypt.h>
+ #endif
+
++#ifdef WITH_SELINUX
++# include <selinux/selinux.h>
++# include <selinux/get_context_list.h>
++#endif
++
+ #define CHECK_DES 1
+ #define CHECK_MD5 1
+
+@@ -335,6 +340,21 @@
+ signal(SIGINT, SIG_DFL);
+ signal(SIGTSTP, SIG_DFL);
+ signal(SIGQUIT, SIG_DFL);
++#ifdef WITH_SELINUX
++ if (is_selinux_enabled > 0) {
++ security_context_t scon=NULL;
++ char *seuser=NULL;
++ char *level=NULL;
++ if (getseuserbyname("root", &seuser, &level) == 0)
++ if (get_default_context_with_level(seuser, level, 0, &scon) > 0) {
++ if (setexeccon(scon) != 0)
++ fprintf(stderr, "setexeccon faile\n");
++ freecon(scon);
++ }
++ free(seuser);
++ free(level);
++ }
++#endif
+ execl(sushell, shell, NULL);
+ perror(sushell);
+
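Review bot: `if (is_selinux_enabled > 0)` on the new side compares the function's address, not its result, so the block is entered unconditionally even on a kernel without SELinux; it must be `if (is_selinux_enabled() > 0) {`. In the same block `get_default_context_with_level(seuser, level, 0, &scon) > 0` keeps the count-style test that fitted the old `get_ordered_context_list()`, but libselinux's `get_default_context_with_level()` returns 0 on success and -1 on failure, so as written `setexeccon()` is never called and the root shell is exec'd with the inherited context; change it to `if (get_default_context_with_level(seuser, level, 0, &scon) == 0) {`. The diagnostic `"setexeccon faile\n"` should read `"setexeccon failed\n"`, and a similar message when the context lookup itself fails would make it visible that sulogin fell back to the inherited context before `execl(sushell, ...)`. The enclosing function starts and ends outside this hunk.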
Deleted: sysvinit/trunk/debian/patches/41_selinux_console.dpatch
===================================================================
--- sysvinit/trunk/debian/patches/41_selinux_console.dpatch 2006-10-20 19:57:51 UTC (rev 1019)
+++ sysvinit/trunk/debian/patches/41_selinux_console.dpatch 2006-10-21 07:25:10 UTC (rev 1020)
@@ -1,74 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 41_selinux_console.dpatch by <jdthood at yahoo.co.uk>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: No description.
-
- at DPATCH@
-diff -urNad --exclude=CVS --exclude=.svn ./src/init.c /tmp/dpep-work.tcSHzc/trunk/src/init.c
---- ./src/init.c 2006-01-27 16:52:38.000000000 +0100
-+++ /tmp/dpep-work.tcSHzc/trunk/src/init.c 2006-01-27 16:55:20.000000000 +0100
-@@ -89,6 +89,7 @@
-
- /* Mount point for selinuxfs. */
- #define SELINUXMNT "/selinux/"
-+#define BUF_CHARS (size_t)4096
- int enforcing = -1; /* SELinux enforcing mode */
-
- static int load_policy(int *enforce)
-@@ -101,16 +102,20 @@
- int policy_version=0;
- extern char *selinux_mnt;
- FILE *cfg;
-- char buf[4096];
-+ char *buf;
- int seconfig = -2;
-
-+ buf = malloc(BUF_CHARS * sizeof(char));
-+ if (!buf)
-+ return -1;
-+
- selinux_getenforcemode(&seconfig);
-
- mount("none", "/proc", "proc", 0, 0);
- cfg = fopen("/proc/cmdline","r");
- if (cfg) {
- char *tmp;
-- if (fgets(buf,4096,cfg) && (tmp = strstr(buf,"enforcing="))) {
-+ if (fgets(buf, BUF_CHARS, cfg) && (tmp = strstr(buf, "enforcing="))) {
- if (tmp == buf || isspace(*(tmp-1))) {
- enforcing=atoi(tmp+10);
- }
-@@ -127,14 +132,21 @@
-
- if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0) {
- if (errno == ENODEV) {
-- printf("SELinux not supported by kernel: %s\n",strerror(errno));
- *enforce = 0;
-+ snprintf(buf, BUF_CHARS, "Warning: SELinux not supported by kernel: %s\n",strerror(errno));
-+ print(buf);
-+ free(buf);
-+ return ret;
- } else {
-- printf("Failed to mount %s: %s\n",SELINUXMNT,strerror(errno));
-+ snprintf(buf, BUF_CHARS, "Failed to mount %s: %s\n",SELINUXMNT,strerror(errno));
-+ print(buf);
-+ free(buf);
-+ return -1;
- }
-- return ret;
- }
-
-+ free(buf);
-+
- selinux_mnt = SELINUXMNT; /* set manually since we mounted it */
-
- policy_version=security_policyvers();
-@@ -228,6 +240,7 @@
- }
- return(ret);
- }
-+#undef BUF_CHARS
- #endif
-
-